From: Christos C. <ch...@cr...> - 2021-05-05 22:03:57

> On 6 May 2021, at 00:08, Kevin Zheng <kev...@gm...> wrote:
>
> Hi there,
>
> On 5/5/21 12:44 PM, kaycee gb wrote:
>> The point is that after I remove the attacker's address from firewall rules,
>> new "attacks" are not detected and can go smoothly.
>> I think it has something to do with the code here:
>>> /* address already blocked? (can happen for 100 reasons) */
>>> if (blocklist_contains(attack)) {
>>>     sshguard_log(LOG_INFO, "%s has already been blocked.",
>>>                  attack.address.value);
>>>     return;
>>> }
>> sshguard thinks that address is already blocked, but shouldn't that address be
>> released and removed from the hell list when blacklisting?
>
> SSHGuard assumes that nobody else is changing the firewall rules under its control while it is running. Under this assumption, it should not be possible for an attacker who is blacklisted to show up again. If this does happen, SSHGuard's current behavior is to warn about it without re-blocking the attacker.
>
> Perhaps this behavior should change.

I believe the way it works now is correct. If you manually remove the IP from the firewall table but keep the IP in blacklist.db, then if you reload sshguard it will block it again. So why not remove the IP from blacklist.db and then reload sshguard?
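The three situations discussed above (rule removed by hand, reload with the address still in blacklist.db, reload after removing it from blacklist.db) modelled as a small Python simulation. This is an added example, not SSHGuard's code: `Firewall`, `Blocker`, `blacklist_db` and `diverged()` are hypothetical names, the address 203.0.113.7 is a constructed sample, and the only behaviour mirrored from the thread is the quoted "already blocked, log and return" check. `diverged()` is the extra check an operator would want: it lists addresses the blocker believes are blocked but the firewall no longer enforces.

```python
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("sshguard-model")

ATTACKER = "203.0.113.7"  # constructed sample address (TEST-NET-3 range)


class Firewall:
    """Stand-in for the firewall backend: a set of currently enforced blocks."""

    def __init__(self):
        self.rules = set()

    def block(self, addr):
        self.rules.add(addr)

    def unblock(self, addr):
        # What an operator does by hand, outside the blocker's control.
        self.rules.discard(addr)

    def is_blocked(self, addr):
        return addr in self.rules


class Blocker:
    """Hypothetical model of the blocking loop: an in-memory blocklist plus a
    persistent blacklist (blacklist_db) that survives a reload."""

    def __init__(self, firewall, blacklist_db):
        self.fw = firewall
        self.blacklist_db = blacklist_db
        self.blocklist = set(blacklist_db)   # restored from the persistent list
        for addr in self.blocklist:          # a reload re-installs those rules
            self.fw.block(addr)

    def report_attack(self, addr):
        """Mirrors the quoted check: an address already in the blocklist is
        only logged, never re-blocked."""
        if addr in self.blocklist:
            log.info("%s has already been blocked.", addr)
            return "already_blocked"
        self.blocklist.add(addr)
        self.blacklist_db.add(addr)
        self.fw.block(addr)
        log.info("blocking %s", addr)
        return "blocked"

    def diverged(self):
        """Addresses the blocker believes are blocked but the firewall no
        longer enforces; non-empty means rules were changed out of band."""
        return sorted(a for a in self.blocklist if not self.fw.is_blocked(a))


def scenario_manual_unblock():
    """Rule removed by hand, blacklist.db untouched: a new attack is only logged."""
    fw, db = Firewall(), set()
    blocker = Blocker(fw, db)
    blocker.report_attack(ATTACKER)       # first attack -> blocked
    fw.unblock(ATTACKER)                  # operator removes the rule only
    result = blocker.report_attack(ATTACKER)
    return result, fw.is_blocked(ATTACKER), blocker.diverged()


def scenario_reload_keeping_db():
    """Reload with the IP still in blacklist.db: the block is reinstalled."""
    fw, db = Firewall(), set()
    Blocker(fw, db).report_attack(ATTACKER)
    fw.unblock(ATTACKER)
    Blocker(fw, db)                       # reload
    return fw.is_blocked(ATTACKER)


def scenario_reload_after_db_removal():
    """Remove the IP from blacklist.db as well, then reload: the next attack
    is treated as new and blocked again."""
    fw, db = Firewall(), set()
    Blocker(fw, db).report_attack(ATTACKER)
    fw.unblock(ATTACKER)
    db.discard(ATTACKER)
    blocker = Blocker(fw, db)             # reload
    result = blocker.report_attack(ATTACKER)
    return result, fw.is_blocked(ATTACKER)


if __name__ == "__main__":
    print(scenario_manual_unblock())
    print(scenario_reload_keeping_db())
    print(scenario_reload_after_db_removal())
```

Running the three scenarios shows the point of the thread: removing only the firewall rule leaves the blocker's memory and the firewall out of sync (the attacker is logged as "already blocked" while nothing enforces the block, and `diverged()` reports it), whereas removing the address from the persistent blacklist and reloading lets the next attack be blocked as new.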